Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
 ·Time Warner VOIP
|  Trojans,spyware,etc......
It all is very scary how this crap can just install itself on your computer!!
My mom was using the XP this morning doing some research and all of a sudden she started saying "Whats going on??"
I went into the room and ANTIVIRUS PRO 2009 HAD INSTALLED and was throwing up porn popups,etc....... (Thats a fake virus program that tries to say your PC is infected,etc)
I told my mom to relax as i did a system restore to June 16th and it was gone.....
My mom doesnt know much about computers or i would try to explain to her about SURFING WITH SCRIPTS DISABLED.. (Much safer)
She uses IE7 and when i use that computer,i use Firefox 1.5 (WITH SCRIPTS DISABLED) as i dont like IE7 at all....... (And ff1.5 is alot like MyIE2 (My favourite browser))
Spysweeper didnt seem to stop this fake ANTIVIRUS 2009 from installing...... (Thats what is on there)
Its all quite scary the level these scumbags go thru to hurt people and thier computers!! |
|
Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
 ·Shaw
| You may want to run MalwareByte's and HijackThis on her computer to make sure it's all gone.
Or better yet, go to »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and do the full monty.
Best of luck!
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
1 edit | reply to Dude111
when i use that computer,i use Firefox 1.5
FF 1.5 is way out dated and probably not as safe as the newer(est) version(s). You should up date that as well. |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
| and update the things around it, like Flash, Java, Windows???...
//A
This post is provided "AS IS" without warranty, and confers no rights.
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
VikingBob
join:2004-06-05
Ste Anne, MB | Exactly... Secunia PSI will help with that task. |
|
Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA
2 edits | reply to Dude111
There is a certain google/yahoo search engine redirect rootkit doing the rounds, its like an epidemic.
Some identify it as SKYNET/TDSS/gxvxc rootkit. Very nasty.
»community.norton.com/norton/boar···id=59550
A couple of my friends have encountered it as well in the last couple of weeks.
A little OT, but just thought i'd add that in. |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
1 edit | There is always something going around. There is no down period.
It's like your car. You always lock the door. We don't have periods where we leave the car unlocked because there's no reports of car theft... we lock the door no matter what, because it helps protect it and its contents.
And, if someone we know has items stolen from inside their car, and we find out they left the doors unlocked, we immediately think, "Geez, umm, you kind of earned that one, you didn't lock the door."
But yet we don't think this way about protecting our computers.
How come? Well, to help prevent someone from stealing items from your car, on many cars nowadays, one just pushes a button on their keychain remote, the doors lock, the car alarm activates and they're all set (or more accurately, they feel they're all set). This doesn't exist, exactly, for PCs.
Security programs tried heading in that direction by pulling together the important aspects of things, mainly antimalware, firewall, installing system updates and taking data backups, providing one-button fixes when things needed attention, and even there things aren't done yet, such as updating third party applications and browser plug-ins. Just as with our cars, even though we lock the doors, we should hide valuables, or even take them with us rather than leave them in the car to tempt those passing by.
Of course, once you have antimalware, firewalls, updates installed and backups made, you're not done yet. You're never done. Remember, the moment you think you're secure is the moment you're most vulnerable. And to use the original post as an example, you might say run Firefox with scripts disabled, and you may even update to the latest version of Firefox, but that's ok, the 'bad guys' can come in via Flash, or as an attachment in an email that looks like it came from your mom's bank, or if they're lucky enough, SneakerNet will get things in there.
Which is why my other post asked about updating other things, as it appears the solution was to simply roll back to an earlier state, move on and dangerously assume the malware didn't survive the rollback. Its a Secret  has it right... you're not done yet. Going back to the car analogy, someone broke the passenger window, and you replaced it, but you haven't looked around in the car yet to see if anything else is missing or damaged, or if something NEW is in there monitoring you driving.
I hope, that in the long run, you're thinking beyond the browser and looking at a full security solution which includes an antimalware scanner, an inbound firewall, installing system updates, updating third-party software, including browsers and their add-ons, and EDUCATING your mom on how to both recognize attempts to infect (such as by a malicious web page or a fradulent email or instant message), and even more importantly, what to do if she suspects she's infected, even if the first step is simply, "Call you." Remember, you're still not done at this point, but if you get here, you're sitting pretty good in my personal opinion.
//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
fatdcuk
Premium
join:2005-02-20
England
2 edits | reply to Dude111
Excellent explanation Aaron,
I would like to add one extra point though as we're well aware even legitimate websites can be compromised and host attack code.
There is still the elevated risk from the dark side of the web @ pr0n,Keygens,Warez site etc
So becareful where you choose to park that car !
Certain neighbourhoods represent higher risk of theft or vandalism...
--
Ade Gill
Malwarebytes Researcher |
|
Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
·Time Warner VOIP
2 edits | reply to Dude111
Well doing a system restore REPLACES ALL FILES ON THE COMPUTER.....
So when i did a restore to June 16th,that anti-virus program WAS NOT ON THE COMPUTER.. (The computer is fine now)
I was actually surprised the fake anti-virus program DID NOT DELETE ALL RESTORE POINTS!! (Most of them do this so you cannot get rid of it) |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| said by Dude111 :Well doing a system restore REPLACES ALL FILES ON THE COMPUTER..... if only, see what gets or not restored
»www.kellys-korner-xp.com/xp_restore.htm
Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009 |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| reply to Dude111
I went into the room and ANTIVIRUS PRO 2009 HAD INSTALLED and was throwing up porn popups,etc....... (Thats a fake virus program that tries to say your PC is infected,etc) It didn't "just install". She had to click on something before it would install.
Admittedly, it's a nasty and tends to put the browser in a loop that you cannot break out of except by installing or killing the browser process, or logout then log back in and let Windows kill the browser process. Perhaps a bit more education is in order, so she knows how to avoid this in future.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 |
|
graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL | reply to Dude111
If you run logged in as a user with administrative rights you are asking for trouble. Do you? |
|
Dude111
An Awesome Dude
Premium
join:2003-08-04
USA | reply to Dude111
I really dont know what the account runs at (There isnt an account setup,it auto goes to desktop when booted (I assume its on the admin account)) |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
| reply to Cudni
Further details, for both now and for those later reading the thread that would like to know more.
Windows Help and How-to
What types of files does System Restore change?
»windowshelp.microsoft.com/Window···033.mspx
Excerpt:
System Restore can make changes to Windows system files, registry settings, and programs installed on your computer. It also can make changes to scripts, batch files, and other types of executable files on your computer. Personal files, such as documents, e‑mail, photos, and music files, are not changed. Microsoft Knowledge Base Article 955063
What is System Restore?
»support.microsoft.com/kb/959063
Excerpt:
System Restore is a Microsoft® Windows® tool designed to protect and repair the computer software. System Restore takes a "snapshot" of the some system files and the Windows registry and saves them as Restore Points. When an install failure or data corruption occurs, System Restore can return a system to working condition without you having to reinstall the operating system. It repairs the Windows environment by reverting back to the files and settings that were saved in the restore point.
Note: It does not affect your personal data files on the computer. (Yes, I see the extra 'the' in 'of the some system files' - I'll open an edit request with the Knowledge Base team to call attention to it.)
Microsoft Knowledge Base Article 306084
How antivirus software and System Restore work together
»support.microsoft.com/kb/306084
And from KB Article 555367 at »support.microsoft.com/kb/281616:
For a full list of all the files that are excluded from the System Restore procedure, view the following file:
%SystemRoot%\System32\Restore\Filelist.xml Although I can't find that file in that location on my Windows 7 machine, so it may only apply to Windows XP Professional as shown in the article's Applies To section.
//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
| reply to Dude111
I'll guess, then, that during the Out Of Box Experience (OOBE) a single user name was entered rather than two or more. The fact it's logging in automatically suggests the account has no password associated with it, or the password is stored in the registry for auto-login, such as by using TweakUI.
In any case, if you'd like to investigate running as a limited user, I suggest setting up a separate account rather than convert this one. This way, if there's a blocking issue or some other thing that requires administrator privileges, you can easily log in with the other account and keep going.
//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
Rebirth
join:2009-06-18
33333
| 
No show & scripting |
Some usefull links there.
This »support.microsoft.com/kb/281616 is a no show ?
And whilst we're on the subject listed on there, why does MS insist on using pages that require scripting, when they could be made without ? Scripting, ActiveX and iframes are the Malware merchants best friends !
On here http://support.microsoft.com/kb/959063 it states ( The utility creates restore points once a day by default. ) I have a PC with XP on it i've been using for a couple of years, and it NEVER did this once. Only after these events
installing software
updating hardware drivers
installing new hardware drivers
manual creations of restore points
I'm also on a Vista PC right now, and it only does the same ?
Also on quite a number of occasions i've needed to do a SR for people after Malware infections etc. Quite often ALL the SR events have dissapeared, big problems as you can imagine. Can't MS properly protect these in future, they already should be. For example they could be encrypted and be made free from tamper/deletion.
Thanks |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| said by Rebirth :And whilst we're on the subject listed on there, why does MS insist on using pages that require scripting, when they could be made without ? Scripting, ActiveX and iframes are the Malware merchants best friends ! the same reason all other sites have it, to enhance. Just javascript is sufficient for those pages
Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009 |
|
Rebirth
join:2009-06-18
33333
| Cudni
enhance ?
Enhance what. Pages can be made perfectly fine, and SAFER ( well by people who know how to ) without scripting. For eg, with CSS.
Anyway my post was a direct reply to Ahulett, so i look forward to his responses on the points i raised. Thanks |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| said by Rebirth :Enhance what. Pages can be made perfectly fine, and SAFER ( well by people who know how to ) without scripting. For eg, with CSS. even better in txt format, keep it simple
Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009 |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
| 
Windows 7 Enterprise Build 7100 x64 via Windows Internet Explorer 8. |
This »support.microsoft.com/kb/281616 is a no show ? On my end, it opens properly and is searchable (see attached snip image). The direct link should work: »support.microsoft.com/kb/281616
//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
